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Wireless Sensor Networks (WSN) support data collection and distributed 
data processing by means of very small sensing devices that are easy to 
tamper and cloning: therefore classical security solutions based on access 
control and strong authentication are difficult to deploy. In this paper we 
look at the problem of assessing security of node localization. In particular, 
we analyze the scenario in which Verifiable Multilateration (VM) is used to 
localize nodes and a malicious node (i.e., the adversary) try to masquerade as 
non-malicious. We resort to non-cooperative game theory and we model this 
scenario as a two-player game. We analyze the optimal players' strategy and 
we show that the VM is indeed a proper mechanism to reduce fake positions. 
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1 Introduction 



Wireless Sensor Networks (WSN) [U [2] technologies support data collection and dis- 
tributed data processing by means of very small sensing devices. Nowadays, sensors are 
used in many contexts such as surveillance systems, systems supporting traffic moni- 
toring and control in urban/suburban areas, military and/or anti-terrorism operations, 
telemedicine, assistance to disabled and elderly people, environmental monitoring, local- 
ization of services and users, and industrial process control. This activities rely greatly 
on data about the positions of sensor nodes. Nodes are often deployed randomly or 
move, and one of the challenges is computing localization at time of operations. Several 
localization approaches have been proposed (for example, O 01 El El [H EH]), but 
most of the current approaches omit to consider that WSNs could be deployed in an 
adversarial setting, where hostile nodes under the control of an attacker coexist with 
faithful ones. In fact, wireless communications are easy to tamper and nodes are prone 
to physical attacks and cloning: thus classical solutions, based on access control and 
strong authentication, are difficult to deploy. 

An approach to localize nodes even when some of them are compromised was proposed 
in [11] and it is known as Verifiable Multilateration (VM). However, in some situations 
also using Verifiable Multilateration the security localization behavior of a node is un- 
defined, in other words there is not enough information for considering it a secure or 
malicious node. This weakness could be exploited by a malicious node to masquerade as 
an undefined one, pretending to be in a position that is still compatible with all verifiers' 
information. To the best of our knowledge, the analysis of this scenario has not been 
explored so far in the literature: we explicitly consider how a malicious node, on the one 
side, could act and, on the other side, how the system could face it. This constitutes the 
original contribution of our work. 

In this paper, we resort to non-cooperative game theory to study our scenario. More 
precisely, we model it as a two-player strategic-form game, where the first player is a 
verifier that uses VM and the second player is a malicious node. The verifier acts to 
securely localize the malicious node, while the malicious node acts to masquerade as 
undefined. As is customary in game theory, the players are considered rational (i.e., 
maximizers). This amounts to say that the malicious node is modeled as the strongest 
adversary. We study the game, showing some results concerning the robustness of VM. 
The paper is organized as follows: Section [2] provides a short overview about Verifiable 
Multilateration; Section [3] shortly describes secure localization game, providing some 
basic concepts; Section [4] introduces strategic game analysis. Section [5] draws some 
conclusions and provides hints for future works. 

2 Verifiable Multilateration 

Multilateration is a technique used in WSNs to estimate the coordinates of the unknown 
nodes, given the positions of some given landmark nodes, called anchor nodes, whose 
positions are known. The position of the unknown node U is computed by geometric 
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Figure 1: Verifiable multilateration 

inference based on the distances between the anchor nodes and the node itself. However, 
the distance is not measured directly; instead, it is derived by knowing the speed of the 
signal in the medium used in the transmission, and by measuring the time needed to get 
an answer to a beacon message sent to U. 

Unfortunately, if this computation is carried on without any precaution, U might fool 
the anchors by delaying the beacon message. However, since a malicious node can delay 
the answer beacon, but not speed it up, under some conditions it is possible to spot 
malicious behaviors. VM uses three or more anchor nodes to detect misbehaving nodes. 
In VM the anchor nodes work as verifiers of the localization data and they send to 
the sink node B the information needed to evaluate the consistency of the coordinates 
computed for U. The basic idea of VM is shown in Figure [T] each verifier Vi computes 
its distance bound [12] to U ; any point P inside the triangle formed by V\ , Vi , V3 has 
necessarily at least one of the distance to the Vi enlarged. This enlargement, however, 
cannot be masked by U by sending a faster message to the corresponding verifier. 

Under the hypothesis that verifiers are trusted and they can securely communicate 
with B, the following verification process can be used to check the localization data: 

1. Each verifier Vi sends a beacon message to U and records the time needed to 
get an answer; 

2. Each verifier Vi (whose coordinates (xi,yi) are known) sends to B a message with 
its n; 

3. From Tj, B derives the corresponding distance bound dbi (that can be easily com- 
puted if the speed of the signal is known) and it estimates U's coordinates by 
minimizing the sum of squared errors 

6 = Y,(dbi - V(x-*i) 2 + (y-y l ) 2 ) 2 

i 

where (x, y) are the (unknown) coordinates to be estimated^ 

4. B can now check if (x, y) are feasible in the given setting by two incremental tests: 
(a) 5 -test: For all verifiers V{, compute the distance between the estimated U and 

1 In an ideal situation where there are no measurement errors and/or malicious delays this is equivalent 
to finding the (unique) intersection of the circles defined by the distance bounds and centered in the 
Vi (see Figure [TJ and e = 0. 
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Vi\ if it differs from the measured distance bound by more than the expected 
distance measurement error, the estimation is affected by malicious tampering; 
(b) Point in the triangle test: Distance bounds are reliable only if the estimated U 
is within at least one verification triangle formed by a triplet of verifiers, otherwise 
the estimation is considered unverified. 

If both the 8 and the point-in-the-triangle tests are positive, the distance bounds 
are consistent with the estimated node position, which moreover falls in at least one 
verification triangle. This means that none of the distance bounds were enlarged. Thus, 
the sink can consider the estimated position of the node as Robust; else, the information 
at hands is not sufficient to support the reliability of the data. An estimation that does 
not pass the 5 test is considered Malicious. In all the other cases, the sink marks the 
estimation as Unknown. In an ideal situation where there are no measurement errors, 
there are neither malevolent nodes marked as Robust, nor benevolent ones marked as 
Malicious. Even in this ideal setting, however, there are Unknown nodes, that could 
be malevolent or not. In other words there are no sufficient information for evaluating the 
trustworthiness of node position. In fact, U could pretend, by an opportune manipulation 
of delays, to be in a position P that is credible enough to be taken into account. No such 
points exist inside the triangles formed by the verifiers (this is exactly the idea behind 
verifiable multilateration) , but outside them some regions are still compatible with all 
the information verifiers have. 

Consider N verifiers that are able to send signals in a range R. Let xq and yo the 
real coordinates of U. They are unknown to the verifiers, but nevertheless they put a 
constraint on plausible fake positions, since the forged distance bound to V{ must be 
greater than the length of UVi. 

Thus, any point P = (x, y) that is a plausible falsification of U has to agree to the 
following constraints, for each 1 < i < N: 



The constraints in ([I]) can be understood better by looking at Figure [2j where three 
verifiers are depicted: the green area around each verifier denotes its power range, and 
the red area is the bound on the distance that U can put forward credibly. Thus, any 
plausible P must lay outside every red region and inside every green one. 

3 Secure localization game 

Our aim is the study of the behavior of a possible malicious node that acts to masquerade 
as an unknown node and, at the same time, how the malicious node can be faced at 
best by the verifiers. This is a typical non-cooperative setting that can be analyzed by 
leveraging on game theoretical models. A game is described by a couple: mechanism and 
strategies. The mechanism defines the rules of the game in terms of number of players 
and actions available to the players. The strategies describe the behaviors of the players 
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Figure 2: Plausible falsification region: P is a plausible fake position for U since lays 
outside every red region and inside every green one (and it is outside the 
triangle of verifiers). 

during the game in terms of played actions. Strategies can be pure, when a player acts 
one action with a probability of one, or they can be mixed, when a player randomizes over 
a set of actions. The players' strategies define an outcome (if the strategies are pure) or a 
randomization over the outcomes (if mixed) . Players have preferences over the outcomes 
expressed by utility functions and each player is rational, acting to maximize its own 
utility. Solving a game means to find a profile of strategies (i.e., a set specifying one 
strategy for each player) such that the players' strategies are somehow in equilibrium. 
The most known equilibrium concept is Nash where each player cannot improve its own 
utility by deviating unilaterally (a detailed treatment of Nash equilibrium can be found 
in [13]): a fundamental result in the study of equilibria is that every game admits at 
least one Nash equilibrium in mixed strategies, while pure strategy equilibrium might 
not exist. 

We now formally state our secure localization game, by focusing on a setting with 
N = 3 verifiers. It is a tuple (Q, A, u). Set Q contains the players and is defined as Q = 
{v, m} (v denotes the verifiers and m denotes the malicious node). Set A contains the 
players actions. More precisely, given a surface SCM 2 , the actions available to v are all 
the possible tuples of positions (Vi, V2, V3) of the three verifiers with Vi, V2, V3 S <S, while 
the actions available to m are all the possible couples of positions (U, P) with U,P £ S 
(where U and P are defined in the previous section). We denote by a v the strategy 
(possibly mixed) of v and by <r m the strategy (possibly mixed) of m. Given a strategy 
profile a = (cr v , c m ) in pure strategy, it is possible to check whether or not constraints ([I]) 
are satisfied. The outcomes of the game can be {malicious, robust, unknown}. Set u 
contains the players' utility functions, denoted u v (-) and u m (-) respectively, that define 
their preferences over the outcomes. We define Ui (malicious) = U{ (robust) = for 
i G {v, m}, while (unknown) can be defined differently according to different criteria. 
A simple criterion could be to assign u v (unknown) = — 1 and u m (unknown) = 1. 
However, our intuition is that the unknown outcomes are not the same for the players, 
because m could prefer those in which the distance between U and P is maximum. In 
particular we propose three main criteria to characterize unknown outcomes: 



1. maximum deception, u m is defined as the distance between U and P, while u v is 
defined as the opposite; 

2. deception area, u m is defined as the size of the region S' C S such that P E S' is 
marked as unknown, while u v is defined as the opposite; 

3. deception shape, u m is defined as the number of disconnected regions S' C S such 
that P G S' is marked as unknown, while u v is defined as the opposite. 

Players could even use different criteria, e.g., v and m could adopt the maximum de- 
ception criterion and the deception shape respectively. However, when players adopt 
the same criterion, the game is zero-sum, the sum of the players' utilities being zero. 
This class of games is easy and has the property that the maxmin, minmax, and Nash 
strategies are the same. In this case calculations are simplified by the property that 
u v = —u m ; in the following we shall adopt this assumption. 

4 Game Analysis 

For the sake of simplicity, we focus on the case in which both players adopt the maximum 
deception criterion. In principle, however, our analysis can be extended to other criteria: 
in particular, Theorem |4.1| is valid for all the proposed criteria. 

4.1 Analysis with Pure Strategies 

In this section, we show that there can be no equilibrium in pure strategies. We discuss 
also what is the value of the maximum deception when the verifiers adopts a pure 
strategy. We consider only the case in which Wi,jViVj < R since otherwise the region in 
which VM would be applicable is small and no unknown positions would be possible, 
thus paradoxically the verifiers would have an incentive to reduce it further to only one 
point, making the localization procedure worthless. 

At first, we can show that for each action of the verifiers, there exists an action of the 
malicious node such that this is marked as unknown. 



Theorem 4.1 For each tuple (Vi, V2, V3) such that ViVj < R for all i,j, there exists at 
least a couple (U, P) such that u m > 0. 

Proof. Given V\, V2, V3 such that ViVj < R for all i,j, choose a V{ and call X the point 
on the line VkVj (k,j ^ i) closest to V$. Assign U = X. Consider the line connecting Vi 
to X, assign P to be any point X' on this line such that V.X < ViX' < R. Then, by 
construction u m > 0. □ 

We discuss what is the configuration of the three verifiers, such that the maximal 
deception is minimized. 

Theorem 4.2 Any tuple (V\, V2, V3) such that ViVj = R for all i,j minimizes the max- 
imum deception. 
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Proof. Since we need to minimize the maximum distance between two points, by 
symmetry, the triangle whose vertexes are V\ , V2, V3 must have all the edges with the 
same length. We show that ViVj = R. It can easily seen, by geometric construction, that 
U must be necessarily inside the triangle. As shown in Section 2, P must be necessarily 
outside the triangle and, by definition, the optimal P will be on the boundary constituted 
by some circle with center in a Vi and range equal to R (otherwise P could be moved 
farther and P would not be optimal). As V L Vj decreases, the size of the triangle reduces, 
while the boundary keeps to be the same, and therefore UP does not decrease. □ 

We are now in the position to find the maxmin value (in pure strategies) of the verifiers, 
i.e., the action that maximizes the verifiers' utility given that the malicious node will 
minimize it. The problem of finding the maxmin strategy can be formulated as the 
following non-linear optimization problem: 



max UP 

constraints (1) 



for some V\ , V2 , V3 with 
ViVj = R for all i,j 



We solved this problem by using conjugated subgradients. We report the solution. 
Called W the orthocenter of the triangle, U and P can be easily expressed with polar 
coordinates with origin in W. We assume that 9 = corresponds to a line connecting W 
to a V t . We have, U = (p = 0.1394R, 9 = § ) and P = (p = 0A286R, 9 = f+0.2952), and, 
for symmetry, U = (p = 0.1394R,6> = -f ) and P = (p = 0.4286i?,6> = -f - 0.2952). 
Therefore, there are six optimal couples (U, P)s. In Figure [3] depicts the malicious node's 
best action, by showing on the right all the symmetrical positions. The value of u m (i.e., 
the maximum deception) is 0.2516-R. In other words, when the verifiers compose an 
equilateral triangle, a malicious node can masquerade as unknown and the maximum 
deception is about 25% of the verifiers' range R. 
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Figure 3: Malicious node's best responses. 
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We consider the verifiers' strategy and we show that for each action of the malicious 
node they can find an action such that the malicious node is marked either as robust 
or as MALICIOUS. 



Theorem 4.3 For each couple (U,P), there exists at least a tuple (V\, V2, V3) such that 
u v = 0. 

Proof. If U = W (where W is the orthocenter of the equilateral triangle composed by 
the verifiers), then, by geometric construction, maximum deception is zero (we omit the 
calculation for reasons of space). □ 



By combining Theorems |4.1| and 4.3, we have that our game cannot admit any Nash 
equilibrium in pure strategies. Indeed, for each a v there exists a best response a m such 
that <7 V is not the best response to <r m . 

4.2 Discrete Approximation Hardness 

Finding a mixed strategy equilibrium in a two-player zero-sum finite game is well known 
to be a polynomial problem in the number of actions available to the players. This 
is because the problem of finding a minmax strategy can be formulated as a linear 
mathematical programming problem. However, our problem is not finite, V\, V2, V3, U, P 
belonging to a continuous space. In this section, we show that finding an approximate 
solution by discretizing the surface S in a finite number of points is not practically 
affordable. 

We discretize S by a finite grid with a given step A. We call Sd C S the set of points in 
the grid. The players can choose their position from set Sd- We denote by A v and A m the 
set of actions of the verifiers and malicious node respectively. Supposed Sd to be a square 
and called I the length of S, the number of points in Sd is \Sd\ = \^] 2 - We have that 

l^vl = Es<i<\v\ ( lS f) ~ 0(\S d \ 6 ) and \A m \ = \S d \ 2 ■ (\S d \ 2 - 1) ~ 0(\S d \*)- For each 
possible profile of players' actions we compute u m as the maximum deception. Notice 
that the number of all the possible profiles of players' actions is ~ 0(\Sd\ 10 )- We denote 
by Pv(i) the probability with which v plays action i G A v . The linear programming 
formulation to find the minmax strategy (and equivalently the Nash equilibrium) is: 

minK (2) 
Pu(i)u m (j,i) <u V j e A m (3) 



i£A v 



Pu(«) > Vi G A v (4) 
= 1 (5) 



Constraints ^ force the expected utility m receives from taking action j to be not larger 
than u; constraints Q and ([5]) grant probabilities p m (-) to be well defined. The objective 
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function is the minimization of u that by constraints ([3]) is the maximal expected utility 
of m. 

We solved the above mathematical programming problem with grids with 3, 4, 5 points 
per edge. In all these case studies, the verifiers always mark the malicious node as robust 
or malicious, and therefore u m is always equal to zero. We notice that the utility matrix 
presents a number of non-null values, anyway, there exists at least a configuration of 
verifiers such that for no action of the malicious node this is marked as unknown. This 
is because the grid is too loose. However, with a larger number of points per edge, the 
problem is not computationally affordable because the number of outcomes is excessively 
large. 



4.3 Mixed Strategies with a Fixed Orthocenter 

The hardness result discussed in the previous section pushes us to resort to an analytical 
approach to find the players' equilibrium strategies. Here, we discuss the strategies in a 
simplified case study. The idea is that this result can provide insight to solve the general 
case. 

At first we show that any equilibrium strategy prescribes that the players randomize 
over a continuous space of action. Call supp(ai) the set of actions played with strictly 
positive probability by player i in (Tj. 

Theorem 4.4 In the secure localization game, no equilibrium strategy a = (a v , <r m ) can 
have \supp(o~i)\ G N (i.e., supp(ai) is a continuous space). 

Proof. A necessary and sufficient condition such that a game with continuous actions 
admits an equilibrium where players randomize over a finite number of actions is that 
the continuous variables in the players' utility functions are separable, i.e., the utility 
functions can be expressed as the product of terms composed of only sum of variables. 
This does not hold in our case. □ 

We consider the situation in which the orthocenter W of the triangle constituted of 



the three verifiers is a given data. By Theorem 4.2, we know that the optimal verifiers' 
configuration is the equilateral triangle with edge's length equal to R. Consider the polar 
coordinate system with pole in the orthocenter W . Call a the angle between the polar 
axis and the line connecting a vertex Vi to W . Since the verifiers must form an equilateral 
triangle and the verifiers have distance equal to R from the pole, the verifiers' strategy 
can be compactly represented as a probability density over a. Instead, the malicious 
node's strategy can be represented as a probability density over U and P. We can show 
that the players' equilibrium strategies are the following. 
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Theorem 4.5 The players' equilibrium strategies are: 



2-7T 

a* = a uniformly drawn from [0, — ] 

3 




0.1394R 

uniformly drawn from [0, 2ir] 

0.4286i? 

0u + 0.2952 



and the expected utility of the malicious node is 0.001-R. 



Proof. By Theorem 4.4 the players must randomize over a continuous space of actions. 
We consider the verifiers' strategy. Easily, for symmetry reasons, the verifiers must 
randomize uniformly over all the possible values of a. In particular, we can safely 
limit the randomization over [0, 2/37r]. We consider the malicious node's strategy. For 
symmetry, it randomize such that 9 U is uniformly drawn from [0, 2ir]. In order to compute 
the optimal pjj and the polar coordinates of P, we solve the following optimization 
problem. We fix a value for 6 U and we search for the values of pu,pp,6p such that the 
malicious node's expected utility is the maximum one. 

max / -i^da (6) 



Pu,Ppfip jo 

The above optimization problem is non-linear. We solved it by discretizing the value of 
a with a step of 10 -3 and by using conjugated subgradients. The result is the strategy 
reported above. □ 
Notice that, the expected utility of the malicious node drastically decreases with re- 
spect to the situation in which the strategy of the verifiers is pure, as it is O.OOli? with 
mixed strategy vs. 0.25ii with pure strategies. This is because with mixed strategies, 
the probability that the malicious node is not marked as robust or malicious is very 
small. Therefore, randomization over their strategies aids the verifiers to increase their 
expected utility and VM with mixed strategies can be considered to be robust. 



5 Conclusion 

The knowledge about the security of wireless sensor node localization information is 
a fundamental challenge in order to provide trust applications and data. Verifiable 
Multilateration is a secure localization algorithm that defines two tests for evaluating 
node behavior as malicious, or robust or in the worst unknown. In case of 

unknown node, VM does not have enough information for evaluating the trustworthiness 
of the node. This lack of information may be exploited by malicious user. In this paper, 
in order to improve the knowledge about the secure localization behavior VM has been 
modelled as game, by means of game theory concepts. In fact a verifier is the first 
player, while a malicious node is the second player. Particularly we have analyzed the 
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behavior in case of the adoption of both a pure strategy and a mixed one. The conducted 
analysis demonstrates that, when the verifiers play a pure strategy, the malicious node 
can always masquerade as unknown with a probability of one and the deception is not 
negligible. When the verifiers play mixed strategies, the malicious node can masquerade 
as unknown with a very low probability and the expected deception is negligible. In 
the future, we shall consider situations where a malicious attacker can manipulate more 
nodes. 
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